Wednesday, August 5, 2015

Powershell: Automating AWS Security Groups

To provision and manage EC2 instances in the AWS cloud in a way that complies with industry standards and regulations, the individuals administering them should understand the security mechanisms within the AWS framework, both those that are automatic and those that require configuration. Let's take a look at the Security Group, which falls under the latter category.

As there is no "absolute Security Group" that can be plugged in to satisfy every need, we should always be open to modifying it. Automating this via PowerShell provides predictable and consistent results.

What Is a Security Group?

Every VM created through the AWS Management Console (or via scripts) can be associated with one or multiple Security Groups (in the case of a VPC, up to 5). By default, all inbound and outbound traffic at the instance level is blocked from elsewhere. We should automate the infrastructure to open only the ports that satisfy the customer's needs. This implies that we should add ingress/egress rules to each Security Group as per the customer's requirements. For more details, have a look at the AWS Security Group documentation.

It is important to allow traffic only from valid source IP addresses; this substantially prunes the attack surface, whereas using 0.0.0.0/0 as the IP range leaves the infrastructure open to sniffing or tampering. Traffic between VMs should always traverse Security Groups; we can achieve this by allowing the initiator's Security Group ID as the source.

Automation Script

I have kept this as a single block; if one wishes, they can create a function out of it. A few things worth considering:

Execution of this script will only succeed given a working pair of Secret Key and Access Key.

This script makes use of the filtering functionality, whereby it expects the end user to provide a name pattern; selection of the Security Group is driven by that pattern.
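The approach described above (select the Security Group by name pattern, refuse 0.0.0.0/0, allow a specific CIDR or the initiator's Security Group ID as source), as an added example that is not the post's own script. It assumes the AWS Tools for PowerShell module with Get-EC2SecurityGroup and Grant-EC2SecurityGroupIngress, credentials already configured (for example with Set-AWSCredential), and that the name pattern, port and source values are constructed placeholders.

```powershell
# Added example (not the post's script). Assumes the AWSPowerShell module and
# that a working Access Key / Secret Key pair has already been configured.
# 'web-*', port 22 and 203.0.113.0/24 below are constructed placeholder values.

function Get-SecurityGroupByPattern {
    param([Parameter(Mandatory)][string]$NamePattern)
    # Server-side filter on the group-name attribute; '*' is the wildcard.
    $groups = Get-EC2SecurityGroup -Filter @{ Name = 'group-name'; Values = $NamePattern }
    if (-not $groups) { throw "No Security Group matches '$NamePattern'" }
    return $groups
}

function Test-OpenToWorld {
    param([Parameter(Mandatory)]$Group)
    # Flag any existing ingress rule whose source is 0.0.0.0/0 (the case the post warns about).
    foreach ($perm in $Group.IpPermissions) {
        foreach ($range in $perm.Ipv4Ranges) {
            if ($range.CidrIp -eq '0.0.0.0/0') {
                Write-Warning ("{0}: {1} {2}-{3} is open to 0.0.0.0/0" -f
                    $Group.GroupId, $perm.IpProtocol, $perm.FromPort, $perm.ToPort)
            }
        }
    }
}

function Add-RestrictedIngress {
    param(
        [Parameter(Mandatory)][string]$GroupId,
        [Parameter(Mandatory)][int]$Port,
        [string]$SourceCidr,      # a known-good source range, e.g. an admin network
        [string]$SourceGroupId    # or the initiating instance's Security Group ID
    )
    if ($SourceCidr -eq '0.0.0.0/0') { throw 'Refusing to open a port to the whole Internet' }
    $perm = New-Object Amazon.EC2.Model.IpPermission
    $perm.IpProtocol = 'tcp'; $perm.FromPort = $Port; $perm.ToPort = $Port
    if ($SourceCidr) {
        $perm.Ipv4Ranges = @(New-Object Amazon.EC2.Model.IpRange -Property @{ CidrIp = $SourceCidr })
    } elseif ($SourceGroupId) {
        # Source is another Security Group, so VM-to-VM traffic stays under SG control.
        $perm.UserIdGroupPairs = @(New-Object Amazon.EC2.Model.UserIdGroupPair -Property @{ GroupId = $SourceGroupId })
    } else { throw 'Provide -SourceCidr or -SourceGroupId' }
    Grant-EC2SecurityGroupIngress -GroupId $GroupId -IpPermission $perm
}

# Usage with placeholders: audit the matched group, then allow SSH only from the assumed admin range.
$sg = Get-SecurityGroupByPattern -NamePattern 'web-*' | Select-Object -First 1
Test-OpenToWorld -Group $sg
Add-RestrictedIngress -GroupId $sg.GroupId -Port 22 -SourceCidr '203.0.113.0/24'
```

Run Test-OpenToWorld against every group the pattern matches before granting anything, so that an existing world-open rule is surfaced rather than silently extended.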